In the Claims : 

Please cancel claims 2, 7, 9-10, 12, 14, 20-21, 26, 29-33, and 36-40 without 
prejudice, add new claims 41 and 43, and amend claims 1, 3-6, 8, 11, 13, 15-19, 22-25, 
27-28, and 34-35 as follows: 

1 . (Currently Amended) A computer-readable recording medium 
for storing a computer program for detecting a worm by monitoring a communication of 
a predetermined network segment that is connected to a network and judging whether the 
communication is executed by a worm, eauses- the computer program causing a computer 
to perform: 

acquiring information related to a traffic and a communication address of a 
communication packet based on setting information; 

judging whether the communication is executed by the worm based on the 
information acquired and a predetermined judgment criteria; 

extracting reference information for identifying a communication packet to 
be blocked from a plurality of communication packets transmitted in the communication 
upon it being judged at the judging that the communication is executed by the worm;-and 

blocking the communication packet that is transmitted between the 
predetermined network segment and the outside of the predetermined network segment 
based on the reference information extracted at the extracting ; and 
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changing the setting information upon it being judged at the judging that 
the communication is executed by the worm. 

wherein the acquiring includes acquiring the information based on the 
setting information after a change . 

2. (Cancelled) 

3. (Currently Amended) The computer program according to 
claim 1, causes the computer to further pcrform A computer-readable recording medium 
for storin g a computer program for detecting a worm by monitoring a communication of 
a predetermined network segment that is connected to a network and judging whether the 
communication is executed by a worm, the computer program causing a computer to 
perform: 

acquiring information related to a traffic and a communication address of a 
communication packet based on setting information; 

judging whether the communication is executed by the worm based on the 
information acquired and a predetermined judgment criteria; 

extracting reference information for identifying a communication packet to 
be blocked from a plurality of communication packets transmitted in the communication 
upon it being judged at the judging that the communication is executed by the worm; 
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blocking the communication packet that is transmitted between the 
predetermined network segment and the outside of the predetermined network segment 
based on the reference information extracted at the extracting; and 

changing the judgment criteria upon it being judged at the judging that the 
communication is executed by the worm, wherein 

the judging includes judging whether the communication is executed by the 
worm based on the information acquired and the setting information after a change. 

4. (Currently Amended) The computer program computer- 

readable recording medium according to claim 1, wherein the judging includes judging 
that a communication from a computer that is in the predetermined network segment is 
executed by the worm when 

there is an increase in number of communication packets as well as number 
of destination addresses of communication packets that are transmitted from the 
predetermined network segment to the outside. 

5. (Currently Amended) The computer program according to 
claim 4 , A computer-readable recording medium for storing a computer program for 
detecting a worm by monitoring a communication of a predetermined network segment 
that is connected to a network and judging whether the communication is executed by a 
worm, the computer program causing a computer to perform: 
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acquiring information related to a traffic and a communication address of a 
communication packet based on setting information; 

judging whether the communication is executed by the worm based on the 
information acquired and a predetermined judgment criteria: 

extracting reference information for identifying a communication packet to 
be blocked from a plurality of communication packets transmitted in the communication 
upon it being judged at the judging that the communication is executed by the worm; and 

blocking the communication packet that is transmitted between the 
predetermined network segment and the outside of the predetermined network segment 
based on the reference information extracted at the extracting. 

wherein the judging includes judging that a communication from a plurality 
of computer computers in the predetermined segment is executed by the worm when 

a communication from a computer in the predetermined network segment is 
judged previously to be executed by the worm,-and 

there is an increase in number of communication packets that are 
transmitted from the predetermined network segment to the outside, and 

the number of destination addresses of the communication packet that is 
transmitted from the predetermined network segment to the outside becomes greater than 
a number of destination addresses of a communication packet acquired when the 
communication is judged to be executed by the worm, and is transmitted from the 
predetermined network segment to the outside. 
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6. (Currently Amended) The computer program according claim 
h A computer-readable recording medium for storing a computer program for detecting a 
worm by monitoring a communication of a predetermined network segment that is 
connected to a network and judging whether the communication is executed by a worm, 
the computer program causing a computer to perform: 

acquiring information related to a traffic and a communication address of a 
communication packet based on setting information: 

judging whether the communication is executed by the worm based on the 
information acquired and a predetermined judgment criteria: 

extracting reference information for identifying a communication packet to 
be blocked from a plurality of communication packets transmitted in the communication 
upon it being judged at the judging that the communication is executed by the worm: and 

blocking the communication packet that is transmitted between the 
predetermined network segment and the outside of the predetermined network segment 
based on the reference information extracted at the extracting. 

wherein the judging includes judging that a communication from a 
computer that is outside the predetermined network segment is executed by the worm 
when 
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there is an increase in number of responding communication packets 
corresponding to communication packets that are transmitted from outside to the 
predetermined network segment, and 

there is an increase in number of sender addresses of the responding 
communication packets. 

7. (Cancelled) 

8. (Currently Amended) The computer program according to claim 1 , 
A computer-readable recording medium for storing a computer program for detecting a 
worm by monitoring a communication of a predetermined network segment that is 
connected to a network and judging whether the communication is executed by a worm, 
the computer program causing a computer to perform: 

acquiring information related to a traffic and a communication address of a 
communication packet based on setting information; 

judging whether the communication is executed by the worm based on the 
information acquired and a predetermined judgment criteria; 

extracting reference information for identifying a communication packet to 
be blocked from a plurality of communication packets transmitted in the communication 
upon it being judged at the judging that the communication is executed by the worm; and 



blocking the communication packet that is transmitted between the 
predetermined network segment and the outside of the predetermined network segment 
based on the reference information extracted at the extracting, 

wherein the judging includes predicting a type of the worm by comparing 
features of a communication judged to be executed by a worm with features of a 
communication executed by a worm that is recorded in advance. 

9-10. (Cancelled) 

1 1 . (Currently Amended) The computer program according to claim 9, 
A computer-readable recording medium for storing a computer program for detecting a 
worm by monitoring a communication of a predetermined network segment that is 
connected to a network and judging whether the communication is executed by a worm, 
the computer program causing a computer to perform: 

acquiring information related to a traffic and a communication address of a 
communication packet based on setting information; 

judging whether the communication is executed by the worm based on the 
information acquired and a predetermined judgment criteria; 

extracting reference information for identifying a communication packet to 
be blocked from a plurality of communication packets transmitted in the communication 
upon it being judged at the judging that the communication is executed by the worm; 
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blocking the communication packet that is transmitted between the 
predetermined network segment and the outside of the predetermined network segment 
based on the reference information extracted at the extracting; and 

cutting off the communication executed by the worm upon it being judged 
that the communication is executed by the worm, 

wherein the cutting off includes cutting off the communication executed by 
the worm by making a fire wall function effective in a computer that is judged to have a 
worm. 

12. (Cancelled) 

13. (Currently Amended) A method for detecting a worm by monitoring 
a communication of a predetermined network segment that is connected to a network and 
judging whether the communication is executed by a worm, comprising: 

acquiring information related to a traffic and a communication address of a 
communication packet based on setting information; 

judging whether the communication is executed by the worm based on the 
information acquired and a predetermined judgment criteria;-and 

extracting reference information for identifying a communication packet to 
be blocked from a plurality of communication packets transmitted in the communication 
upon it being judged at the judging that the communication is executed by the worm;-and 
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blocking the communication packet that is transmitted between the 
predetermined network segment and the outside of the predetermined network segment 
based on the reference information extracted at the extracting ; and 

changing the setting information upon it being judged at the judging that 
the communication is executed by the worm. 

wherein the acquiring includes acquiring the information based on the 
setting information after a change . 

14. (Cancelled) 

15. (Currently Amended) The device according to claim H, further 
comprising A device for detecting a worm by monitoring a communication of a 
predetermined network segment that is connected to a network and judging whether the 
communication is executed by a worm, comprising: 

an acquiring unit that acquires information related to a traffic and a 
communication address of a communication packet based on setting information; 

a judging unit that judges whether the communication is executed by the 
worm based on the information acquired and a predetermined judgment criteria; 

a reference information extracting unit that extracts reference information 
for identifying a communication packet to be blocked from a plurality of communication 
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packets transmitted in the communication upon it being judged by the judging unit that 
the communication is executed by the worm; 

a blocking unit that blocks the communication packet that is transmitted 
between the predetermined network segment and the outside of the predetermined 
network segment based on the reference information extracted by the reference 
information extracting unit; and 

a setting changing unit that changes the setting information upon it being 
judged by the judging unit that the communication is executed by the worm, wherein 

the acquiring unit acquires the information based on the setting information 
after a change. 

16. (Currently Amended) The device according to claim 1 4 , further 
comprising A device for detecting a worm by monitoring a communication of a 
predetermined network segment that is connected to a network and judging whether the 
communication is executed by a worm, comprising: 

an acquiring unit that acquires information related to a traffic and a 
communication address of a communication packet based on setting information; 

a judging unit that judges whether the communication is executed by the 
worm based on the information acquired and a predetermined judgment criteria; 

a reference information extracting unit that extracts reference information 
for identifying a communication packet to be blocked from a plurality of communication 
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packets transmitted in the communication upon it being judged by the judging unit that 
the communication is executed by the worm: 

a blocking unit that blocks the communication packet that is transmitted 
between the predetermined network segment and the outside of the predetermined 
network segment based on the reference information extracted by the reference 
information extracting unit; and 

a setting changing unit that changes the judgment criteria upon it-is being 
judged by the judging unit that the communication is executed by the worm, wherein 

the judging unit judges whether the communication is executed by the 
worm based on the information acquired by the acquiring unit and the setting information 
after a change. 

17. (Currently Amended) The device according to claim 1 4 claim 15 . 
wherein the judging unit judges that a communication from a computer that is in the 
predetermined network segment is executed by the worm when 

there is an increase in number of communication packets as well as number 
of destination addresses of communication packets that are transmitted from the 
predetermined network segment to the outside. 

18. (Currently Amended) The device according to claim 17, A device for 
detecting a worm bv monitoring a communication of a predetermined network segment 
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that is connected to a network and judging whether the communication is executed by a 
worm, comprising: 

an acquiring unit that acquires information related to a traffic and a 
communication address of a communication packet based on setting information; 

a judging unit that judges whether the communication is executed by the 
worm based on the information acquired and a predetermined judgment criteria; 

a reference information extracting unit that extracts reference information 
for identifying a communication packet to be blocked from a plurality of communication 
packets transmitted in the communication upon it being judged by the judging unit that 
the communication is executed by the worm; 

a blocking unit that blocks the communication packet that is transmitted 
between the predetermined network segment and the outside of the predetermined 
network segment based on the reference information extracted by the reference 
information extracting unit, 

wherein the judging unit judges that a communication from a plurality of 
computers in the predetermined segment is executed by the worm when 

a communication from a computer in the predetermined network segment is 
judged previously to be executed by the worm,-and 

there is an increase in number of communication packets that are 
transmitted from the predetermined network segment to the outside, and 
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the number of destination addresses of the communication packet that is 
transmitted from the predetermined network segment to the outside becomes greater than 
a number of destination addresses of a communication packet acquired when the 
communication is judged to be executed by the worm, and is transmitted from the 
predetermined network segment to the outside. 

19. (Currently Amended) The device according claim 11, A device for 
detecting a worm by monitoring a communication of a predetermined network segment 
that is connected to a network and judging whether the communication is executed bv a 
worm, comprising: 

an acquiring unit that acquires information related to a traffic and a 
communication address of a communication packet based on setting information; 

a judging unit that judges whether the communication is executed bv the 
worm based on the information acquired and a predetermined judgment criteria; 

a reference information extracting unit that extracts reference information 
for identifying a communication packet to be blocked from a plurality of communication 
packets transmitted in the communication upon it being judged by the judging unit that 
the communication is executed by the worm; and 

a blocking unit that blocks the communication packet that is transmitted 
between the predetermined network segment and the outside of the predetermined 
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network segment based on the reference information extracted by the reference 
information extracting unit, 

wherein the judging unit judges that a communication from a computer that 
is outside the predetermined network segment is executed by the worm when 

there is an increase in number of responding communication packets 
corresponding to communication packets that are transmitted from outside to the 
predetermined network segment, and 

there is an increase in number of sender addresses of the responding 
communication packets. 

20-21. (Cancelled) 

22. (Currently Amended) The computer readable medium according to 
claim 12, A computer- readable recording medium for storing a computer program for 
detecting a worm by monitoring a communication of a predetermined network segment 
that is connected to a network and judging whether the communication is executed by a 
worm, the computer program causing a computer to perform: 

acquiring information related to a traffic and a communication address of a 
communication packet based on setting information; 

judging whether the communication is executed by the worm based on the 
information acquired and a predetermined judgment criteria; 
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extracting reference information for identifying a communication packet to 
be blocked from a plurality of communication packets transmitted in the communication 
upon it being judged at the judging that the communication is executed by the worm; and 

blocking the communication packet that is transmitted between the 
predetermined network segment and the outside of the predetermined network segment 
based on the reference information extracted at the extracting, 

wherein the extracting includes summing up a number of the 
communication packets for each port number, the communication packets being 
transmitted in the communication upon it being judged that the communication is 
executed by the worm at the judging, and extracting as the reference information, a most 
frequently appeared port number of the communication packets transmitted in the 
communication upon it being judged that the communication is executed by the worm at 
the judging. 

23. (Currently Amended) The method of claim 13, A method for 
detecting a worm by monitoring a communication of a predetermined network segment 
that is connected to a network and judging whether the communication is executed by a 
worm, comprising: 

acquiring information related to a traffic and a communication address of a 
communication packet based on setting information; 
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judging whether the communication is executed by the worm based on the 
information acquired and a predetermined judgment criteria; 

extracting reference information for identifying a communication packet to 
be blocked from a plurality of communication packets transmitted in the communication 
upon it being judged at the judging that the communication is executed by the worm; and 

blocking the communication packet that is transmitted between the 
predetermined network segment and the outside of the predetermined network segment 
based on the reference information extracted at the extracting, 

wherein the extracting includes summing up a number of the 
communication packets for each port number, the communication packets being 
transmitted in the communication upon it being judged that the communication is 
executed by the worm at the judging, and extracting as the reference information, a most 
frequently appeared port number of the communication packets transmitted in the 
communication upon it being judged that the communication is executed by the worm at 
the judging. 

24. (Currently Amended) The device according to claim 1 4 , A device for 
detecting a worm by monitoring a communication of a predetermined network segment 
that is connected to a network and judging whether the communication is executed by a 
worm, comprising: 



17 



an acquiring unit that acquires information related to a traffic and a 
communication address of a communication packet based on setting information: 

a judging unit that judges whether the communication is executed by the 
worm based on the information acquired and a predetermined judgment criteria: 

a reference information extracting unit that extracts reference information 
for identifying a communication packet to be blocked from a plurality of communication 
packets transmitted in the communication upon it being judged by the judging unit that 
the communication is executed by the worm: and 

a blocking unit that blocks the communication packet that is transmitted 
between the predetermined network segment and the outside of the predetermined 
network segment based on the reference information extracted by the reference 
information extracting unit. 

wherein the reference information extracting unit sums up a number of the 
communication packets for each port number, the communication packets being 
transmitted in the communication upon it being judged that the communication is 
executed by the judging unit, and extracts, as the reference information, a most frequently 
appeared port number of the communication packets transmitted in the communication 
upon it being judged that the communication is executed by the judging unit. 

25. (Currently Amended) The computer program according to claim 1 , 
A computer-readable recording medium for storing a computer program for detecting a 
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worm by monitoring a communication of a predetermined network segment that is 



connected to a network and judging whether the communication is executed by a worm, 



the computer program causing a computer to perform: 

acquiring information related to a traffic and a communication address of a 
communication packet based on setting information; 

judging whether the communication is executed by the worm based on the 
information acquired and a predetermined judgment criteria; 

extracting reference information for identifying a communication packet to 
be blocked from a plurality of communication packets transmitted in the communication 
upon it being judged at the judging that the communication is executed by the worm; 

blocking the communication packet that is transmitted between the 
predetermined network segment and the outside of the predetermined network segment 
based on the reference information extracted at the extracting, 

wherein the extracting further includes summing up, for each type of the 
communication direction of communication of a packet transmitted out from the 
predetermined network segment or transmitted to the predetermined network segment , a 
number of the communication packets transmitted in the communication upon it being 
judged that the communication is executed by the worm at the judging, and extracting, as 
the reference information, a-type direction of the communication wherein the number of 
the communication packets is over a threshold value. 
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26. (Cancelled) 



27. (Currently Amended) The method of claim 13, A method for 
detecting a worm by monitoring a communication of a predetermined network segment 
that is connected to a network and judging whether the communication is executed by a 
worm, comprising: 

acquiring information related to a traffic and a communication address of a 
communication packet based on setting information; 

judging whether the communication is executed by the worm based on the 
information acquired and a predetermined judgment criteria: 

extracting reference information for identifying a communication packet to 
be blocked from a plurality of communication packets transmitted in the communication 
upon it being judged at the judging that the communication is executed by the worm; and 

blocking the communication packet that is transmitted between the 
predetermined network segment and the outside of the predetermined network segment 
based on the reference information extracted at the extracting. 

wherein the extracting further includes summing up, for each typo of the 
communication direction of communication of a packet transmitted out from the 
predetermined network segment or transmitted to the predetermined network segment , a 
number of the communication packets transmitted in the communication upon it being 
judged that the communication is executed by the worm at the judging, and extracting, as 
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the reference information, a-type direction of the communication wherein the number of 
the communication packets is over a threshold value. 

28. (Currently Amended) The device according to claim 1 4 , A device for 
detecting a worm by monitoring a communication of a predetermined network segment 
that is connected to a network and judging whether the communication is executed by a 
worm, comprising: 

an acquiring unit that acquires information related to a traffic and a 
communication address of a communication packet based on setting information; 

a judging unit that judges whether the communication is executed by the 
worm based on the information acquired and a predetermined judgment criteria; 

a reference information extracting unit that extracts reference information 
for identifying a communication packet to be blocked from a plurality of communication 
packets transmitted in the communication upon it being judged by the judging unit that 
the communication is executed by the worm; and 

a blocking unit that blocks the communication packet that is transmitted 
between the predetermined network segment and the outside of the predetermined 
network segment based on the reference information extracted by the reference 
information extracting unit, 

wherein the reference information extracting unit further sums up, for each 
type of the communication direction of communication of a packet transmitted out from 
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the predetermined network segment or transmitted to the predetermined network 
segment , a number of the communication packets transmitted in the communication upon 
it being judged that the communication is executed by the judging unit, and extracts, as 
the reference information, a-type direction of the communication wherein the number of 
the communication packets is over a threshold value. 

29-33. (Cancelled) 

34. (Currently Amended) The device according to claim 33, A device 
for cutting off a communication executed by a worm by monitoring the communication 
between a predetermined network segment and outside of the predetermined network 
segment, comprising: 

a worm judging unit that judges whether a communication is executed by 

the worm; 

a reference information extracting unit that extracts reference information 
for identifying a communication packet to be blocked from a plurality of communication 
packets transmitted in the communication upon it being judged by the worm judging unit 
that the communication is executed by the worm; and 

a blocking unit that blocks the communication packet that is transmitted 
between the predetermined network segment and the outside of the predetermined 
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network segment based on the reference information extracted by the reference 
information extracting unit 

wherein the reference information extracting unit sums up a number of the 
communication packets for each port number, the communication packets being 
transmitted in the communication upon it being judged that the communication is 
executed by the worm judging unit, and extracts, as the reference information, a most 
frequently appearing port number of the communication packets transmitted in the 
communication upon it being judged by the worm judging unit that the communication is 
executed by the worm. 

35. (Currently Amended) The device according to claim 3 3, A device 
for cutting off a communication executed by a worm by monitoring the communication 
between a predetermined network segment and outside of the predetermined network 
segment, comprising: 

a worm judging unit that judges whether a communication is executed bv 

the worm; 

a reference information extracting unit that extracts reference information 
for identifying a communication packet to be blocked from a plurality of communication 
packets transmitted in the communication upon it being judged by the worm judging unit 
that the communication is executed bv the worm; and 
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a blocking unit that blocks the communication packet that is transmitted 
between the predetermined network segment and the outside of the predetermined 
network segment based on the reference information extracted by the reference 
information extracting unit, 

wherein the reference information extracting unit further sums up, for each 
type of the communication direction of communication of a packet transmitted out from 
the predetermined network segment or transmitted to the predetermined network 
segment , a number of the communication packets transmitted in the communication upon 
it being judged by the worm judging unit that the communication is executed by the 
worm, and extracts, as the reference information, a-type direction of the communication 
wherein the number of the communication packets is over a threshold value. 

36-40. (Cancelled) 

4 1 . (New) The computer-readable recording medium according to 

claim 3, wherein the judging includes judging that a communication from a computer that 
is in the predetermined network segment is executed by the worm when 

there is an increase in number of communication packets as well as number 
of destination addresses of communication packets that are transmitted from the 
predetermined network segment to the outside. 
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42. (New) The computer-readable recording medium according to 
claim 6, wherein the judging includes judging that a communication from a computer that 
is in the predetermined network segment is executed by the worm when 

there is an increase in number of communication packets as well as number 
of destination addresses of communication packets that are transmitted from the 
predetermined network segment to the outside. 

43. (New) The computer-readable recording medium according to 
claim 8, wherein the judging includes judging that a communication from a computer that 
is in the predetermined network segment is executed by the worm when 

there is an increase in number of communication packets as well as number 
of destination addresses of communication packets that are transmitted from the 
predetermined network segment to the outside. 
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